The Netherlands is one of Europe';s most active fintech hubs, and any company offering payment services, electronic money, or related financial products there must hold a valid licence issued or recognised by Dutch supervisory authorities. Operating without the correct authorisation exposes a business to enforcement action, administrative fines, and forced cessation of services - risks that materialise faster than most founders anticipate. This article explains the regulatory framework, the licensing pathways, the competent authorities, the procedural timelines, and the practical pitfalls that international businesses most commonly encounter when entering the Dutch fintech market.
The Netherlands has implemented the European Union';s core financial services directives into national law through a layered statutory structure. The primary instrument is the Wet op het financieel toezicht (Financial Supervision Act, Wft), which governs the authorisation and ongoing supervision of virtually all financial service providers operating in the country. The Wft is supplemented by the Besluit Gedragstoezicht financiële ondernemingen Wft (Decree on Conduct of Business Supervision, BGfo), which sets out detailed conduct-of-business requirements.
For payment services specifically, the EU';s revised Payment Services Directive (PSD2) was transposed into Dutch law primarily through amendments to the Wft and the Besluit prudentiële regels Wft (Decree on Prudential Rules, Bpr Wft). PSD2 defines nine categories of payment service, and any entity providing one or more of those services on a commercial basis in the Netherlands must either hold a Payment Institution (PI) licence, register as a Small Payment Institution (SPI), or qualify for a specific exemption.
Electronic money issuance is governed by the Electronic Money Directive (EMD2), also implemented through the Wft. An entity that issues electronic money - prepaid cards, digital wallets, stored value instruments - must hold an Electronic Money Institution (EMI) licence, which carries stricter capital and safeguarding requirements than a standard PI licence.
Crypto-asset service providers face an additional layer. Under the Anti-Money Laundering and Counter-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft), crypto exchanges and custodian wallet providers must register with De Nederlandsche Bank (DNB). The EU Markets in Crypto-Assets Regulation (MiCA), which became directly applicable across all member states in stages, adds a further authorisation requirement for a broader range of crypto-asset services. Dutch businesses must now plan for compliance with both the existing Wwft registration and the MiCA licence simultaneously.
Two authorities share supervisory responsibility over fintech and payment businesses in the Netherlands, and understanding their respective mandates is essential before filing any application.
De Nederlandsche Bank (DNB) is the prudential supervisor. DNB grants and revokes licences for payment institutions, electronic money institutions, and crypto-asset service providers. It assesses capital adequacy, governance structures, fit-and-proper requirements for directors and qualifying shareholders, and safeguarding arrangements for client funds. DNB also supervises compliance with AML/CFT obligations under the Wwft.
The Autoriteit Financiële Markten (AFM) is the conduct-of-business supervisor. AFM oversees how financial products are marketed, sold, and managed in relation to retail clients. For fintech companies offering consumer-facing payment products, investment services, or credit, AFM';s requirements on transparency, client communication, and complaint handling apply in parallel with DNB';s prudential rules.
In practice, a company launching a consumer payment app in the Netherlands must satisfy both regulators simultaneously. A common mistake made by international applicants is to focus exclusively on DNB';s prudential checklist while underestimating AFM';s conduct requirements, which can delay a product launch by several months even after a licence is granted.
The Innovation Hub, operated jointly by DNB and AFM, provides informal guidance to innovative businesses before they submit a formal application. Engaging with the Innovation Hub early - ideally six to twelve months before the intended market launch - allows a company to clarify its regulatory classification and identify gaps in its compliance framework without triggering a formal supervisory process.
To receive a checklist on preparing for DNB and AFM engagement for fintech licensing in the Netherlands, send a request to info@vlolawfirm.com
Choosing the correct licence category is the first and most consequential decision a fintech business makes in the Netherlands. Each category carries different capital requirements, safeguarding obligations, and ongoing reporting burdens.
Payment Institution (PI) licence under Article 2:3a Wft authorises a company to provide one or more of the nine PSD2 payment services on a full commercial scale. The minimum initial capital requirement varies by service type: for money remittance it starts at EUR 20,000, for payment initiation services at EUR 50,000, and for account information services there is no minimum capital requirement but registration is mandatory. For entities providing account-holding or card-issuing services, the minimum capital is EUR 125,000. DNB assesses the business plan, the governance structure, the AML/CFT programme, the IT security framework, and the safeguarding mechanism for client funds - either segregation in a dedicated account or insurance coverage.
Electronic Money Institution (EMI) licence requires minimum initial capital of EUR 350,000 and ongoing own funds calculated as a percentage of outstanding electronic money. Safeguarding requirements are stricter: client funds must be held in segregated accounts at a credit institution or invested in secure, liquid, low-risk assets. EMIs may also provide payment services ancillary to their e-money activities, which makes the EMI licence attractive for businesses building multi-function digital wallets.
Small Payment Institution (SPI) registration is available to businesses whose monthly payment transaction volume does not exceed EUR 3 million on a rolling twelve-month average. SPI registration under Article 2:3f Wft involves a lighter-touch process - no minimum capital requirement, simplified governance documentation - but carries significant restrictions: SPIs cannot passport their services into other EU member states, and they remain subject to Wwft obligations. Many early-stage fintech companies start as SPIs and upgrade to a full PI licence once their transaction volumes grow.
Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) that do not hold client funds occupy a distinct regulatory position. AISPs must register with DNB and hold professional indemnity insurance of at least EUR 1.5 million per claim. PISPs must hold either professional indemnity insurance or a guarantee of at least EUR 1 million per claim. Both categories must comply with PSD2';s strong customer authentication (SCA) requirements and the regulatory technical standards issued by the European Banking Authority (EBA).
Exemptions exist for limited networks (loyalty schemes, fuel cards, closed-loop systems) and for certain commercial agents acting on behalf of a single payer or payee. These exemptions are narrowly construed by DNB, and a non-obvious risk is that a business which initially qualifies for an exemption may lose that status as its product evolves - triggering a retroactive licensing obligation that the company was not tracking.
The DNB licensing process for a PI or EMI licence is structured and demanding. Understanding the procedural sequence prevents costly delays.
The formal application is submitted through DNB';s online portal. DNB has a statutory assessment period of three months from receipt of a complete application, extendable to twelve months in complex cases. In practice, the initial submission is rarely complete on first filing: DNB typically issues a request for additional information within four to six weeks, and the three-month clock does not start until DNB confirms the application is complete. Businesses that underestimate the documentation burden routinely experience total timelines of nine to eighteen months from first submission to licence grant.
The core documentation package for a PI or EMI application includes:
Fit-and-proper assessment of directors and qualifying shareholders (those holding 10% or more of shares or voting rights) is conducted by DNB separately. Each person subject to assessment must submit a detailed questionnaire covering professional background, financial history, and criminal record. This process alone can take two to three months and is a frequent source of delay when applicants have complex international ownership structures.
Legal and advisory costs for preparing a complete PI or EMI application typically start from the low tens of thousands of EUR, depending on the complexity of the ownership structure and the number of services covered. State supervision fees charged by DNB are assessed annually based on the institution';s balance sheet or transaction volumes, and applicants should budget for these ongoing costs from the outset.
A common mistake made by international founders is to appoint a Dutch-registered entity as the licence applicant without ensuring that genuine substance - senior management, compliance function, IT infrastructure - is located in the Netherlands. DNB applies a substance-over-form analysis and will reject or revoke a licence where the Dutch entity is a shell with all real operations conducted from another jurisdiction.
The Netherlands'; membership in the European Economic Area (EEA) gives licensed Dutch payment institutions and electronic money institutions access to the EU passport mechanism. Under Articles 28 and 29 of PSD2, a Dutch-licensed PI or EMI may notify DNB of its intention to provide services in another EEA member state, either on a freedom-of-services basis or by establishing a branch. DNB notifies the host state';s competent authority, and the institution may begin operating in the host state within one to three months of notification, depending on whether a branch is involved.
This passporting right makes a Dutch PI or EMI licence strategically valuable for businesses targeting multiple European markets. However, passporting does not exempt the institution from the host state';s conduct-of-business rules, local AML/CFT requirements, or consumer protection obligations. A non-obvious risk is that several EEA member states have imposed additional requirements on passporting institutions that go beyond the PSD2 minimum, and non-compliance in a host state can trigger enforcement action that reflects back on the Dutch licence.
MiCA introduces a parallel authorisation regime for crypto-asset service providers (CASPs). Under MiCA, a Dutch-registered CASP must obtain authorisation from DNB, which then notifies the European Securities and Markets Authority (ESMA). MiCA authorisation also carries an EU passport, allowing the CASP to operate across all member states. Businesses that currently hold a Wwft crypto registration with DNB must assess whether their activities fall within MiCA';s scope and, if so, apply for MiCA authorisation within the transitional periods specified in the regulation.
The interaction between the Wwft registration, the MiCA authorisation, and any existing PI or EMI licence creates a compliance matrix that requires careful mapping. Many businesses discover that their product roadmap - adding stablecoin functionality to an existing payment app, for example - triggers a new regulatory category that requires a separate authorisation process running in parallel with ongoing operations.
To receive a checklist on MiCA compliance and passporting strategy for Dutch-licensed fintech companies, send a request to info@vlolawfirm.com
Holding a licence is the beginning, not the end, of regulatory engagement in the Netherlands. DNB and AFM conduct ongoing supervision through a combination of periodic reporting, on-site inspections, thematic reviews, and ad hoc information requests.
Under the Wwft, all licensed payment institutions, EMIs, and registered crypto-asset service providers are obliged to conduct customer due diligence (CDD) on all clients, apply enhanced due diligence (EDD) to high-risk clients and politically exposed persons (PEPs), monitor transactions on an ongoing basis, and report unusual transactions to the Financial Intelligence Unit - Netherlands (FIU-Nederland). The Wwft implements the EU';s Fourth and Fifth Anti-Money Laundering Directives and is regularly updated to reflect FATF recommendations.
DNB';s supervisory approach to AML/CFT has become significantly more intensive in recent years. Institutions that fail to maintain adequate transaction monitoring systems, that cannot demonstrate effective governance of their compliance function, or that show persistent gaps between their written policies and actual practice face enforcement measures that range from formal instructions (aanwijzing) to administrative fines and, in serious cases, licence revocation. Administrative fines under the Wft can reach EUR 5 million or, for certain violations, up to 10% of annual turnover.
In practice, it is important to consider that DNB';s enforcement priorities shift over time. Businesses that calibrate their compliance investment to the minimum required at the time of licensing may find themselves materially non-compliant within two to three years as supervisory expectations evolve. Proactive engagement with DNB - including voluntary disclosure of compliance gaps and remediation plans - consistently produces better outcomes than reactive responses to formal enforcement action.
AFM';s conduct supervision focuses on product governance, marketing communications, client onboarding disclosures, and complaint handling. For fintech companies offering payment products to retail consumers, AFM expects clear, accurate, and non-misleading product descriptions, fair pricing disclosures, and accessible complaint procedures. AFM has the power to impose public warnings, order product withdrawals, and impose fines of up to EUR 2 million for conduct violations.
Three practical scenarios illustrate how the regulatory framework applies in different business contexts.
A US-based fintech company seeking to offer euro-denominated digital wallets to European consumers establishes a Dutch subsidiary and applies for an EMI licence. The application process takes fourteen months due to the complexity of the group';s ownership structure and the need to restructure the Dutch entity';s governance to satisfy DNB';s substance requirements. The company launches in the Netherlands and passports into six other EEA states within three months of licence grant.
A UK-based payment institution that previously relied on its FCA authorisation to serve Dutch clients under the EU passport lost that right following the UK';s departure from the EU. It establishes a Dutch entity, applies for a PI licence, and must demonstrate to DNB that the Dutch entity has genuine operational substance - a resident compliance officer, a Dutch-based IT environment, and a board with a majority of Netherlands-resident members.
A crypto exchange that registered with DNB under the Wwft before MiCA';s application date must now assess whether its services - spot trading, custody, transfer of crypto-assets - fall within MiCA';s CASP definition. Finding that they do, it prepares a MiCA authorisation application while simultaneously maintaining its Wwft registration, managing two parallel regulatory processes with overlapping but not identical documentation requirements.
What is the most significant practical risk for a foreign fintech company entering the Dutch market without local legal advice?
The most significant risk is misclassifying the regulatory category of the intended service. A business that believes it qualifies for an SPI registration or a limited-network exemption, but whose product actually requires a full PI or EMI licence, will be operating without authorisation from the moment it processes its first transaction. DNB can issue a cease-and-desist order, impose fines, and publicise the enforcement action - all of which cause reputational damage that is difficult to reverse. The classification analysis must be conducted before any commercial activity begins, not after the product is live.
How long does it realistically take to obtain a Dutch payment institution licence, and what does it cost?
Realistically, a well-prepared applicant with a straightforward ownership structure and a complete documentation package should budget twelve to eighteen months from first engagement with DNB to licence grant. Applicants with complex international structures, multiple qualifying shareholders requiring fit-and-proper assessment, or novel business models that require regulatory clarification should budget eighteen to twenty-four months. Legal and advisory costs for preparing and managing the application typically start from the low tens of thousands of EUR and can reach the mid-hundreds of thousands for complex group structures. Ongoing DNB supervision fees add a recurring annual cost that scales with the institution';s size.
When should a fintech business choose an EMI licence over a PI licence, and is there a strategic case for starting with SPI registration?
An EMI licence is necessary when the business model involves issuing electronic money - storing client funds on a digital account or prepaid instrument that can be used for payments. If the business only executes payment transactions without holding client funds in a stored-value form, a PI licence is sufficient. Starting with SPI registration makes strategic sense for early-stage businesses with limited transaction volumes that want to test product-market fit before committing to the full PI application process. The SPI route is faster and cheaper, but the EUR 3 million monthly volume cap and the absence of passporting rights mean that a growing business will need to upgrade to a full PI licence within twelve to twenty-four months of launch in most cases. Planning the upgrade from the outset - rather than treating it as an afterthought - avoids a period of operational disruption when the volume threshold is approached.
Fintech and payments regulation in the Netherlands is sophisticated, multi-layered, and actively enforced. The combination of DNB';s prudential supervision, AFM';s conduct oversight, Wwft AML/CFT obligations, and the evolving MiCA framework creates a compliance environment that rewards early, thorough preparation and penalises reactive approaches. Businesses that invest in regulatory strategy before entering the Dutch market consistently achieve faster licensing timelines, lower remediation costs, and more durable operating models than those that treat compliance as a secondary concern.
To receive a checklist on the complete licensing and compliance roadmap for fintech and payments businesses in the Netherlands, send a request to info@vlolawfirm.com
Our law firm VLO Law Firms has experience supporting clients in the Netherlands on fintech regulation, payment institution licensing, EMI authorisation, MiCA compliance, and AML/CFT programme development. We can assist with regulatory classification analysis, DNB and AFM application preparation, fit-and-proper documentation, passporting notifications, and ongoing supervisory engagement. To receive a consultation, contact: info@vlolawfirm.com